The Ugly Return of Virtumonde - The spyware that just keeps coming back


Sometime in the last two weeks or a month, a new variant of Virtumonde (Virtumondo, Vundo, WinFixer) has surfaced that presents some major removal challenges. I'm seeing it most often in conjunction with several other bits of malware (typically Smitfraud, one or more downloaders, keystroke loggers, etc.), but I want to talk about Virtumonde first.

First off, the processes for it run in both normal and safe mode. It also detects when HijackThis is run. The detection is done by recognizing the name of the file when it is executed, so renaming hijackthis.exe to hjt.exe, randomname.exe, or whatever, effectively prevents this stealthing strategy from working.

In other words, if you scan an infected system with HijackThis, you end up with a result that shows some evidence of infection, but most of the processes related to the malware won't appear. Renaming HijackThis and running it generates a very different scan result. You can read more at Major Geeks and Spybot's malware removal forums, plus other sites.

Virtumonde also interferes with some other malware removal tools as well. If you run Smitrem to clear out a Smitfraud infection, Virtumonde will cause the getSTS.exe module of Smitrem to crash. getSTS is the component that is supposed to retrieve a list of all entries in the Shared Task Scheduler. The rest of the tool appears to execute correctly, but fails to remove Smitfraud infections that have inserted themselves into the Shared Task Scheduler.

SmitfraudFix doesn't fare much better. You don't get an error, but the segment of the program log that enumerates programs in Shared Task Scheduler is blank. So, once again, Smitfraud variants that use the Shared Task Scheduler to either reinstall themselves from compressed files, run installation programs to reload themselves, etc. won't be fixed. ComboFix is affected much the same, but since it is somewhat less specialized, it seems to have a higher success rate than Smitrem and SmitfraudFix.

Manual removal can work, but you must have a scan generated by the renamed hijackthis.exe to succeed. Otherwise booting to the Recovery Console and attempting to delete the suspicious files from the hijackthis.exe scan will mostly result in "file not found" errors, and leave behind critical files (since they weren't reported by hijackthis.exe) so the system remains infected. Similarly, if you try to use Killbox, Unlocker, or HijackThis's "Delete on Reboot" tool, you will find that the utilities don't function.

Killbox, etc. will only be useful if you have a scan from a renamed executable file of HijackThis. Even knowing the full list of files you want to kill requires trial and error. Killbox will only remove infected files if you first kill the process that prevents Killbox from running. Otherwise, Killbox just says that the file(s) you want to kill can't be removed. If you try to delete these files on reboot, Killbox will fail with a message that an external process interrupted the deletion.

Earlier, I said that these infections seem to be part of a package. What appears to be happening more and more is that customers are downloading some utility, screensaver, etc. and the installation infects their machine with many different bits of malware simultaneously. So, downloading that screensaver may hit you with Smitfraud, Virtumonde, AbsoluteKeyLogger, W32.Small.DDX downloader, Accoona, Aconti, and the like all at once. To the tune of 20 or 30 different nasties.

What I want to emphasize is that many of these programs are legitimate, but have been downloaded (along with their "bonus features") from malicious sites, or they are in fact malware listed as "safe" by ostensibly reputable sites.

Let's use Weather Studio as an example. This is yet another one of those ubiquitous tools that provides quick access to weather information and emergency alerts. Spybot 1.5 deletes it, as does A-Squared. In fact, A-Squared's database reports it as a major threat. You can download it from many web sites.

But, if you go to CNet's download.com site and search for it, there isn't a listing. However, you see this.

Lookie here, we get sponsored links to two pieces of known spyware! Two links to weather studio, and one to starware; all of whose products are spyware, and are identified and deleted by Ad Aware, Spybot, NOD32, NAV 2007, etc. And from a "trusted" site.

But, it gets even better. Let's say you want a nice screen saver for free. You know that starware, etc. are infected with spyware, so you go to a source you trust: download.com. Forget the ads. CNet would only post content for direct download that is either spyware free or clearly marked as ad-supported, right? Maybe.

Check out the Dolphins and Whales reviews. One claims that the screen saver contains spyware, and so does one of my customers.

So, I'm seeing many computers infected with what would seem to be a package of several unusually tenacious pieces of malware that were all installed simultaneously, and, even though Smitfraud is a common infection, Zlob is conspicuous by its absence. The infections don't seem to have occurred from downloading porno video codecs, responding to phishing emails, or any of the expected channels. They came from legitimate programs downloaded from questionable sources, or programs and/or links from sources that are normally considered trustworthy.

So, how do you kill them? First of all, you can eliminate many of the secondary infections by running standard tools, but unless you kill Virtumonde, the system won't be free of infection, and is likely to download new pests. What has worked for me is to disable or uninstall any AV software running on the infected computer and install a trial version of NOD32. The infection will generally prevent it from updating correctly, but you can fix that in a bit.

Don't run a scan yet. Install and update Spybot S&D 1.5 and run it. You may have to install the program and the update from a pendrive or CD. Fix whatever it detects. Then run an online scan from Eset. After it has cleaned or removed any detected infections, update and run NOD32 with an in-depth scan.

At this point you should run a scan with your re-named Hijackthis and remove any suspect entries. Restart the computer, re-scan and the system should be clean. If you want to use a for-pay tool instead of the manual removal and scans with freeware, SpySweeper 5.5 works very well, too.

Of course, in many cases, it may be quicker and easier to restore a backup, but that's a call for the individual tech.

Spybot Search and Destroy: This is the download page; you can choose your language on the right. Click the box icon on the right of "Spybot - Search & Destroy 1.5.1 - product description" to download Spybot - Search & Destroy 1.5.1. Immediately below that are the updates that you can get separately to update Spybot without going online.

Once Spybot is installed, but is not running, double click the update file. If the space for where to install the updates is blank, browse to the Spybot installation directory (usually c:\program files\Spybot - Search & Destroy). Click next and follow the wizard. Spybot should detect the new updates and not ask to go online.

Hey SLGrieb, I applaud and thank you for your work on informing us about the problems with virtumonde. I am not sure if you're aware of this, but I think everyone would benefit from knowing about a discovery I made yesterday. Vundo, being the only variant I have come across so far, has the ability to infect smitfraudfix and other tools with spyware/malware, so once you run them again it reinfects the system. This is just another justification and reason to run NOD32 trial edition before even attempting to use/download these utilities.

OK so vundo and virtumundo are horribly painful programs to remove. Because of this I have researched various sites for fixes and this is the one that works best for me.

*Courtesy of bleepingcomputer.com*

The Vundo family of Trojans is one of the most common infections we find on users' PCs. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and winantispyware, for example. Users are normally targeted by false positives and warnings of infection; an example of this could be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to firstly make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware.

Note: This infection is normally detectable by users receiving popups when they use the internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer. If you happen to have Hijackthis installed on your computer, you will be able to verify whether you have the Vundo infection, as there will be a matching O2, and O20 entry, with the same randomly named .dll file. In older infections the O2 entry normally contained the word "MSEvents". Please note you normally do not need Hijackthis installed to remove this infection, and the above details may only make sense to experts in this field, so don't panic.

Symptoms from a Hijackthis log:

Below is an example of a Vundo infection, though there are many different filenames.

When it has completed downloading, double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click the OK button.

When the computer has shutdown, turn your computer back on.
The WinFixer and Vundo infection should now be removed from your computer.

If you are still having a problem then please perform the following steps.

This step should only be used if the instructions in the previous steps did not remove the infection: Download VirtumundoBegone and save it to your desktop.

Now reboot into Safe Mode.

This can be done by tapping the F8 key as soon as you start your computer.

You will be brought to a menu where you can choose to boot into safe mode.

Select safe mode with networking using your arrow keys on the keyboard and then press enter.

When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.

Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.

Exit when it has finished, and reboot back to normal mode.
The WinFixer and Vundo infection should now be removed from your computer.

Conclusion

If after attempting the instructions in this guide the infection is still present, then it is advised that you post your HijackThis log so one of our experts can help you remove the infection. It may be that you have a new variant that the tools cannot yet remove, or you have a stubborn infection. Instructions on how to post a HijackThis log can be found here:

This is a supplemental review of further infections and recent issues with the vundo variant.

1. Fixes will not work at all unless you go through and update Windows first.

2. Run HijackThis, but first rename it. Once you find the generated .dll files in the autorun/start up, disable them.

3. You must manually download the most recent dat files for your current virus scanner and install them (auto update or the update button on the virus scanner is not reliable in this scenario). Then run the virus scan.

4. For this step you should delete/uninstall ad-aware, spybot sd, smitfraud fix, and all other tools on the computer, and absolutely do not run them. (The reason behind this is that the authors of vundo have made it infect the programs, and they are carriers after the primary infection.)

5. Download fresh copies of your spyware removal tools, either onto a CD from another computer or with a thumb drive from another computer. Reinstall these programs and then run them to do any supplemental cleaning.
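The quoted guide's HijackThis tell for this infection is an O2 (BHO) entry and an O20 (Winlogon Notify) entry that point at the same randomly named .dll, plus the older "MSEvents" BHO name. The following is an added example, not from the post or from bleepingcomputer, that scans a HijackThis log for exactly that pairing; the log lines and the CLSIDs and DLL name in them are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample HijackThis log (not from the original post). The CLSIDs and the
# DLL name "qwertyui.dll" are made-up placeholders standing in for Vundo's random names.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper Class - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\Helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\qwertyui.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: qwertyui - C:\WINDOWS\system32\qwertyui.dll
"""

# A HijackThis entry starts with its section code, e.g. "O2 - ..." or "O20 - ...".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .dll; non-greedy so paths containing spaces still match.
DLL_PATH = re.compile(r"([A-Za-z]:\\.*?\.dll)", re.IGNORECASE)


def parse_hjt(log: str):
    """Yield (section, description) for every 'Oxx - ...' line in a HijackThis log."""
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def shared_o2_o20_dlls(log: str) -> list:
    """Return DLL paths (lower-cased) referenced by both an O2 BHO entry and an
    O20 Winlogon Notify entry, the pairing the guide describes as the Vundo sign."""
    dlls_by_section = defaultdict(set)
    for section, desc in parse_hjt(log):
        for path in DLL_PATH.findall(desc):
            dlls_by_section[section].add(path.lower())
    return sorted(dlls_by_section["O2"] & dlls_by_section["O20"])


def msevents_bhos(log: str) -> list:
    """Return O2 entries whose description carries the older 'MSEvents' marker."""
    return [desc for sec, desc in parse_hjt(log)
            if sec == "O2" and "msevents" in desc.lower()]


if __name__ == "__main__":
    for dll in shared_o2_o20_dlls(SAMPLE_LOG):
        print("O2/O20 pair on the same DLL:", dll)
    for entry in msevents_bhos(SAMPLE_LOG):
        print("MSEvents BHO:", entry)
```

Run it against a log saved from a renamed copy of HijackThis, since, as the thread notes, a scan from hijackthis.exe under its original name may be missing the entries this check relies on.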

can you send the file to my mail address ? PM if you still have it . Dunno which of the files it is .

lolz ...all the after the description ...to make your overly horny to get the superb file

Sorry, I didn't understand that post at all. Anyway, this stickie is pushing 5 years old now, and the landscape has changed so much it's like I was writing about the Jurassic Period in retrospect. Well, it was relevant back in the day.

